diff --git a/evtx/Maps/Application-HitmanPro-Alert_911.map b/evtx/Maps/Application-HitmanPro-Alert_911.map
index f947a755..8a90fa73 100644
--- a/evtx/Maps/Application-HitmanPro-Alert_911.map
+++ b/evtx/Maps/Application-HitmanPro-Alert_911.map
@@ -2,6 +2,7 @@ Author: Mike Stewart mstew1968@gmail.com
 Description: HitmanPro ALERT Identified
 EventId: 911
 Channel: Application
+Provider: HitmanPro.Alert
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Application-Sophos-Alert_32.map b/evtx/Maps/Application-Sophos-Alert_32.map
index 05e34b39..bfe2e11e 100644
--- a/evtx/Maps/Application-Sophos-Alert_32.map
+++ b/evtx/Maps/Application-Sophos-Alert_32.map
@@ -2,6 +2,7 @@ Author: Mike Stewart mstew1968@gmail.com
 Description: Sophos Alert Identified
 EventId: 32
 Channel: Application
+Provider: "Sophos Anti-Virus"
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Application-Audit-CVE_1.map b/evtx/Maps/Application_Audit-CVE_1.map
similarity index 100%
rename from evtx/Maps/Application-Audit-CVE_1.map
rename to evtx/Maps/Application_Audit-CVE_1.map
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map
index 93ea0dd8..10eb51ac 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map
@@ -1,8 +1,8 @@
-
 Author: Mike Brewer
 Description: Cisco AnyConnect VPN encrypted connection type
 EventId: 2048
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map
index f36034af..d02f90e9 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map
@@ -2,6 +2,7 @@ Author: Mike Brewer
 Description: Cisco AnyConnect VPN reading host's IP
 EventId: 2085
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2127.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2127.map
index f1d97663..e3efb85e 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2127.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2127.map
@@ -2,6 +2,7 @@ Author: Mike Brewer
 Description: Cisco AnyConnect VPN IP assigned
 EventId: 2127
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map
index 24ff9baf..c0574892 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map
@@ -2,6 +2,7 @@ Author: Mike Brewer
 Description: Cisco AnyConnect VPN connecting to target gateway X
 EventId: 5005
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpndownloader
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map b/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
deleted file mode 100644
index 66f208c1..00000000
--- a/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
+++ /dev/null
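Review bot: `EventId: 2085` in the hunk for Cisco-AnyConnect-Secure-Mobility-Client-2086.map does not match the event ID in the file name, so either the map never applies to 2086 events or the file is misnamed; the commit adds the Provider key next to it but leaves the mismatch in place. Verify against a sample event and align the file name or the `EventId:` value accordingly. The same Provider line is added to the 2048, 2127 and 5005 maps; the 5005 map uses `acvpndownloader` rather than `acvpnagent`, which is presumably intentional but is worth confirming from a real event, since a provider string that does not match the event silently disables the map.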
@@ -1,58 +0,0 @@
-Author: Hyun Yi @hyuunnn
-Description: USB Connection
-EventId: 2100
-Channel: "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
-Maps:
- -
- Property: PayloadData1
- PropertyValue: "InstanceId: %InstanceId%"
- Values:
- -
- Name: InstanceId
- Value: "/Event/UserData/UMDFHostDeviceRequest/InstanceId"
- -
- Property: PayloadData2
- PropertyValue: "LifetimeId: %LifetimeId%"
- Values:
- -
- Name: LifetimeId
- Value: "/Event/UserData/UMDFHostDeviceRequest/LifetimeId"
-
-# Valid properties include:
-
-#
-#
-#
-# 2100
-# 1
-# 4
-# 37
-# 1
-# 0x8000000000000000
-#
-# 27
-#
-#
-# Microsoft-Windows-DriverFrameworks-UserMode/Operational
-# ComputerName
-#
-#
-#
-#
-# {Value}
-# SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.27#{Value}&0#{Value}
-# 27
-# 0
-# 0x0
-# 0x0
-# 0x0
-# 0x0
-# 3221225659
-#
-#
-#
-#
-# Windows Vista, 7 : enable (default)
-# Windows 8~ : disable (default)
-# https://nxlog.co/documentation/nxlog-user-guide/windows-usb-auditing.html
-# https://www.reddit.com/r/sysadmin/comments/4dr2t2/security_guy_wants_to_log_usb_storage_devices_on/
\ No newline at end of file
diff --git a/evtx/Maps/Microsoft-Windows-AppID_4004.map b/evtx/Maps/Microsoft-Windows-AppID_4004.map
index b6d8d9e7..6672a019 100644
--- a/evtx/Maps/Microsoft-Windows-AppID_4004.map
+++ b/evtx/Maps/Microsoft-Windows-AppID_4004.map
@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Code Signature Verification
 EventId: 4004
 Channel: "Microsoft-Windows-AppID/Operational"
+Provider: Microsoft-Windows-AppID
 Maps:
 -
 Property: ExecutableInfo
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map b/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map
index 1e1dbecf..44e64ab1 100644
--- a/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map
+++ b/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map
@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: An executable was allowed to run
 EventId: 8002
 Channel: Microsoft-Windows-AppLocker/EXE and DLL
+Provider: Microsoft-Windows-AppLocker
 Maps:
 -
 Property: ExecutableInfo
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map b/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map
index 18a7c02e..b7df1fde 100644
--- a/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map
+++ b/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: An executable was prevented from running.
 EventId: 8004
 Channel: Microsoft-Windows-AppLocker/EXE and DLL
+Provider: Microsoft-Windows-AppLocker
 Maps:
 -
 Property: ExecutableInfo
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8005.map b/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8005.map
index d1623127..45d16f31 100644
--- a/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8005.map
+++ b/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8005.map
@@ -2,6 +2,7 @@ Author: Phill Moore\Troy Larson
 Description: A script or MSI was allowed to run.
 EventId: 8005
 Channel: Microsoft-Windows-AppLocker/MSI and Script
+Provider: Microsoft-Windows-AppLocker
 Maps:
 -
 Property: ExecutableInfo
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8007.map b/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8007.map
index 8f5ca136..d199a9d1 100644
--- a/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8007.map
+++ b/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8007.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: A script or MSI was prevented from running.
 EventId: 8007
 Channel: Microsoft-Windows-AppLocker/MSI and Script
+Provider: Microsoft-Windows-AppLocker
 Maps:
 -
 Property: ExecutableInfo
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map b/evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map
index 041d17c3..9ba2f556 100644
--- a/evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map
+++ b/evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map
@@ -1,7 +1,8 @@
 Author: Troy Larson
 Description: A packaged app was allowed to run.
 EventId: 8020
-Channel: Microsoft-Windows-AppLocker/Packaged app-Execution
+Channel: "Microsoft-Windows-AppLocker/Packaged app-Execution"
+Provider: Microsoft-Windows-AppLocker
 Maps:
 -
 Property: ExecutableInfo
diff --git a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map
index 7fcb38b8..8236244f 100644
--- a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map
+++ b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map
@@ -2,6 +2,7 @@ Author: Mike Pilkington
 Description: Application Experience Program Telemetry
 EventId: 500
 Channel: "Microsoft-Windows-Application-Experience/Program-Telemetry"
+Provider: Microsoft-Windows-Application-Experience
 Maps:
 -
 Property: ExecutableInfo
@@ -30,15 +31,33 @@ Maps:
 # RemoteHost
 # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
 # PayloadData1 through PayloadData6
-
+#
 # Example payload data
+#
+#
+#
+# 500
+# 0
+# 4
+# 0
+# 0
+# 0x1000000000090000
+#
+# 5108
+#
+#
+# Microsoft-Windows-Application-Experience/Program-Telemetry
+# HOSTNAME.domain.com
+#
+#
 #
 #
-# 3724
-# 2019-03-19 20:48:33.4095392
-# 8a23a24a-9a8d-44b6-a6d4-556c53a289b5
-# 0x10205
-# C:\Windows\System32\osk.exe
-# CorrectFilePaths
+# 13764
+# 2018-06-25 01:16:27.4365335
+# 1c2d23t3-dcd2-41e3-bd0b-25f05028c655
+# 0x40679
+# C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-btba83b0.exe
+# RunAsInvoker
 #
-#
\ No newline at end of file
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map
index 0620babe..9f5fba2d 100644
--- a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map
+++ b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map
@@ -2,6 +2,7 @@ Author: Mike Pilkington
 Description: Application Experience Program Telemetry
 EventId: 505
 Channel: "Microsoft-Windows-Application-Experience/Program-Telemetry"
+Provider: Microsoft-Windows-Application-Experience
 Maps:
 -
 Property: ExecutableInfo
@@ -32,13 +33,31 @@ Maps:
 # PayloadData1 through PayloadData6
 # Example payload data
+#
+#
+#
+# 505
+# 0
+# 4
+# 0
+# 0
+# 0x800000000009000
+#
+# 1026
+#
+#
+# Microsoft-Windows-Application-Experience/Program-Telemetry
+# HOSTNAME.domain.com
+#
+#
 #
 #
-# 3724
-# 2019-03-19 20:48:33.4095392
-# 8a23a24a-9a8d-44b6-a6d4-556c53a289b5
-# 0x10205
-# C:\Windows\System32\osk.exe
-# CorrectFilePaths
+# 679
+# 2020-06-04 04:17:46.6533916
+# f62f1235-e0e3-43b9-8e00-3e2fdff449ab
+# 0x80013101
+# C:\Program Files\Microsoft Security Client\MsMpEng.exe
+# Microsoft Forefront Endpoint Protection 2010
 #
-#
\ No newline at end of file
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client_Operational_59.map b/evtx/Maps/Microsoft-Windows-Bits-Client_Operational_59.map
index 054867f6..a76362bf 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client_Operational_59.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client_Operational_59.map
@@ -2,14 +2,8 @@ Author: Mark Hallman mark.hallman@gmail.com
 Description: Potential artifacts for Bitsadminexec
 EventId: 59
 Channel: Microsoft-Windows-Bits-Client/Operational
+Provider: Microsoft-Windows-Bits-Client
 Maps:
-# -
-# Property: PayloadData1
-# PropertyValue: desc "%desc%"
-# Values:
-# -
-# Name: desc
-# Value: "/Event/EventData/Data[@Name=\"name\"]"
 -
 Property: PayloadData2
 PropertyValue: url "%url%"
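Review bot: The sample Keywords value `+# 0x800000000009000` in the new example payload for Program-Telemetry_505.map has 15 hex digits, whereas the 500 map's sample in this commit (`0x1000000000090000`) and Keywords masks in general have 16; it looks like a digit was dropped when the example was copied in. Re-check it against the source event so analysts comparing their output with the example are not misled by a mask that cannot occur. The example is comment-only, so nothing functional depends on it.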
@@ -32,16 +26,40 @@ Maps:
 Name: fileLength
 Value: "/Event/EventData/Data[@Name=\"fileLength\"]"
-#
-# {2515f08c-3969-4086-b4ec-6e8eca6b722e}
-# backdoor
-# {b35c4a1d-4425-45be-92d1-b67183ae222f}
-# C:\Windows\system32\cmd.exe
-#
-#
-# 2010-11-20T12:17:00.401000000Z
-# 302592
-# 302592
-# 0
-# 0
-#
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#
+#
+#
+# 59
+# 1
+# 4
+# 0
+# 1
+# 0x4000900000000000
+#
+# 16907
+#
+#
+# Microsoft-Windows-Bits-Client/Operational
+# HOSTNAME.domain.com
+#
+#
+#
+#
+# f5e116f9-02a6-4bdf-9967-f21c8f1d4b54
+# name
+# c29ef679-6c03-4644-992d-b7fe884e117b
+# URL
+#
+# 2001-01-01 00:00:00.0000000
+# 679
+# 679
+# 0
+# 0
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_100.map b/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_100.map
index 285c07a9..68c08af8 100644
--- a/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_100.map
+++ b/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_100.map
@@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn
 Description: Windows System was started.
 EventId: 100
 Channel: "Microsoft-Windows-Diagnostics-Performance/Operational"
+Provider: Microsoft-Windows-Diagnostics-Performance
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_200.map b/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_200.map
index d1065771..69736d8c 100644
--- a/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_200.map
+++ b/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_200.map
@@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn
 Description: Windows System was shutdown.
 EventId: 200
 Channel: "Microsoft-Windows-Diagnostics-Performance/Operational"
+Provider: Microsoft-Windows-Diagnostics-Performance
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map b/evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map
index 9b27b0be..df313baf 100644
--- a/evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map
+++ b/evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map
@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: A new Hyper-V VM was created
 EventId: 13002
 Channel: "Microsoft-Windows-Hyper-V-VMMS-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18500.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18500.map
index 36c5b949..95993181 100644
--- a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18500.map
+++ b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18500.map
@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM started successfully
 EventId: 18500
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18502.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18502.map
index 4015124b..5f70b1ce 100644
--- a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18502.map
+++ b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18502.map
@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM shutdown
 EventId: 18502
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18508.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18508.map
index 52b6b065..c9977e0a 100644
--- a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18508.map
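Review bot: `+Provider: Microsoft-Windows-Hyper-V-Worker` in Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map does not match its channel, `Microsoft-Windows-Hyper-V-VMMS-Admin`; the Worker-Admin maps in the same line carry the identical provider string, so this looks like a copy-paste from them. The VMMS-Admin log is written by the VMMS provider rather than the Worker provider, so if the Provider value takes part in map matching this map would silently stop applying to 13002 events. Confirm against a sample 13002 event's Provider Name and, if it reads Microsoft-Windows-Hyper-V-VMMS, change the line to `Provider: Microsoft-Windows-Hyper-V-VMMS`.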
+++ b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18508.map
@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM started successfully
 EventId: 18508
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18514.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18514.map
index ce257bd7..e650d3dd 100644
--- a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18514.map
+++ b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18514.map
@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM reset by guest OS
 EventId: 18514
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
 -
 Property: PayloadData1
@@ -19,3 +20,28 @@ Maps:
 # RemoteHost
 # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
 # PayloadData1 through PayloadData6
+#
+#
+#
+#
+# 18514
+# 0
+# 4
+# 0
+# 0
+# 0x8000009000000000
+#
+# 11
+#
+#
+# Microsoft-Windows-Hyper-V-Worker-Admin
+# hostname.local
+#
+#
+#
+#
+# VMName
+# 5160E402-6A79-4E1B-9A91-16151255B886
+#
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10000.map b/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10000.map
index e7031668..3ed8457e 100644
--- a/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10000.map
+++ b/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10000.map
@@ -2,6 +2,7 @@ Author: Mike Brewer michealb40@gmail.com
 Description: Connect to the Internet
 EventId: 10000
 Channel: "Microsoft-Windows-NetworkProfile/Operational"
+Provider: Microsoft-Windows-NetworkProfile
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10001.map b/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10001.map
index 67498451..fc634cbb 100644
--- a/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10001.map
+++ b/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10001.map
@@ -2,6 +2,7 @@ Author: Mike Brewer michealb40@gmail.com
 Description: Disconnect from the Internet
 EventId: 10001
 Channel: "Microsoft-Windows-NetworkProfile/Operational"
+Provider: Microsoft-Windows-NetworkProfile
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map b/evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map
index d6b573e7..f7900607 100644
--- a/evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map
+++ b/evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map
@@ -1,7 +1,8 @@
 Author: Mark Hallman mark.hallman@gmail.com, Hyun Yi @hyuunnn, Andrew Rathbun
-Description: USB Insertion/Removal - EventId 1006
+Description: USB Insertion/Removal
 EventId: 1006
 Channel: "Microsoft-Windows-Partition/Diagnostic"
+Provider: Microsoft-Windows-Partition
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-PowerShell_Operational_4104.map b/evtx/Maps/Microsoft-Windows-PowerShell_Operational_4104.map
index 974cdb8c..7d5ef520 100644
--- a/evtx/Maps/Microsoft-Windows-PowerShell_Operational_4104.map
+++ b/evtx/Maps/Microsoft-Windows-PowerShell_Operational_4104.map
@@ -2,6 +2,7 @@ Author: Mark Hallman mark.hallman@gmail.com
 Description: Contains contents of scripts run
 EventId: 4104
 Channel: "Microsoft-Windows-PowerShell/Operational"
+Provider: Microsoft-Windows-PowerShell
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-PrintService_Operational_307.map b/evtx/Maps/Microsoft-Windows-PrintService_Operational_307.map
index d91b5e7a..a59f07bf 100644
--- a/evtx/Maps/Microsoft-Windows-PrintService_Operational_307.map
+++ b/evtx/Maps/Microsoft-Windows-PrintService_Operational_307.map
@@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com
 Description: Printing a document
 EventId: 307
 Channel: "Microsoft-Windows-PrintService/Operational"
+Provider: Microsoft-Windows-PrintService
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_131.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_131.map
index 9a9f5a7e..459499c4 100644
--- a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_131.map
+++ b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_131.map
@@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com
 Description: RDP server accepted a new TCP connection
 EventId: 131
 Channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
+Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
 Maps:
 -
 Property: RemoteHost
diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_140.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_140.map
index 4cbe1303..b5fab751 100644
--- a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_140.map
+++ b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_140.map
@@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com
 Description: RDP connection from the client computer failed
 EventId: 140
 Channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
+Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
 Maps:
 -
 Property: RemoteHost
diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_98.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_98.map
index 26ec014e..5a2c036d 100644
--- a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_98.map
+++ b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_98.map
@@ -2,6 +2,7 @@ Author: Mark Hallman mark.hallman@gmail.com
 Description: Successful RDP Connections
 EventId: 98
 Channel: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
+Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9701.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9701.map
index 9c7272eb..505cacd7 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9701.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9701.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: RunOnceEx commands started
 EventId: 9701
 Channel: Microsoft-Windows-Shell-Core/Operational
+Provider: Microsoft-Windows-Shell-Core
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9702.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9702.map
index 1dac5c83..505e075c 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9702.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9702.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: RunOnceEx commands finished
 EventId: 9702
 Channel: Microsoft-Windows-Shell-Core/Operational
+Provider: Microsoft-Windows-Shell-Core
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9703.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9703.map
index 8b4c90da..2a4f760d 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9703.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9703.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: RunOnce commands started
 EventId: 9703
 Channel: Microsoft-Windows-Shell-Core/Operational
+Provider: Microsoft-Windows-Shell-Core
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9704.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9704.map
index 6bc1ac2d..192200d4 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9704.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9704.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: RunOnce commands finished
 EventId: 9704
 Channel: Microsoft-Windows-Shell-Core/Operational
+Provider: Microsoft-Windows-Shell-Core
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9705.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9705.map
index b97151bf..fe7516d6 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9705.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9705.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: Started enumeration of commands for registry key
 EventId: 9705
 Channel: Microsoft-Windows-Shell-Core/Operational
+Provider: Microsoft-Windows-Shell-Core
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9706.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9706.map
index 979fad1d..8150e470 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9706.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9706.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: Finished enumeration of commands for registry key
 EventId: 9706
 Channel: Microsoft-Windows-Shell-Core/Operational
+Provider: Microsoft-Windows-Shell-Core
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9707.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9707.map
index 6fc32429..a7d8caf6 100644
--- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9707.map
+++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9707.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: Started execution of command
 EventId: 9707
 Channel: Microsoft-Windows-Shell-Core/Operational
+Provider: Microsoft-Windows-Shell-Core
 Maps:
 -
 Property: ExecutableInfo
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9708.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9708.map index 5eea1394..31a64ec9 100644 --- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9708.map +++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9708.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Finished execution of command EventId: 9708 Channel: Microsoft-Windows-Shell-Core/Operational +Provider: Microsoft-Windows-Shell-Core Maps: - Property: ExecutableInfo diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9709.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9709.map index 91082660..6f43b77e 100644 --- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9709.map +++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9709.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Executing From RunKey As Job EventId: 9709 Channel: Microsoft-Windows-Shell-Core/Operational +Provider: Microsoft-Windows-Shell-Core Maps: - Property: ExecutableInfo diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9710.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9710.map index 7a41d503..3e679fd2 100644 --- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9710.map +++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9710.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Finished Executing From RunKey As Job EventId: 9710 Channel: Microsoft-Windows-Shell-Core/Operational +Provider: Microsoft-Windows-Shell-Core Maps: - Property: ExecutableInfo diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9711.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9711.map index e387b148..cf65f4e2 100644 --- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9711.map +++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9711.map 
@@ -2,6 +2,7 @@ Author: Troy Larson Description: Executing from startup menu EventId: 9711 Channel: Microsoft-Windows-Shell-Core/Operational +Provider: Microsoft-Windows-Shell-Core Maps: - Property: ExecutableInfo diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9712.map b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9712.map index e5ecfc06..140c5567 100644 --- a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9712.map +++ b/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9712.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Finished executing from startup menu EventId: 9712 Channel: Microsoft-Windows-Shell-Core/Operational +Provider: Microsoft-Windows-Shell-Core Maps: - Property: ExecutableInfo diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map index 0f39640e..54b1bb74 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled Task started EventId: 100 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map index ace23679..bdec773d 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled Task completed EventId: 102 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map index c6eb8672..36765b89 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled task created EventId: 106 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map index fe66d4ef..7b029509 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled Task triggered on logon EventId: 119 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_140.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_140.map index dc465717..d64612cc 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_140.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_140.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled Task updated EventId: 140 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map index fa76c738..e408956d 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map 
@@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled task deleted EventId: 141 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map index 1456dfe6..ebace374 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled Task executed EventId: 200 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map index cd2bba34..88fc2d2c 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Scheduled Task completed EventId: 201 Channel: "Microsoft-Windows-TaskScheduler/Operational" +Provider: Microsoft-Windows-TaskScheduler Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_21.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_21.map index d4af2fd0..c6f0c319 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_21.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_21.map 
@@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: "Remote Desktop Services: Session logon succeeded" EventId: 21 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational +Provider: Microsoft-Windows-TerminalServices-LocalSessionManager Maps: - Property: UserName diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_22.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_22.map index dabb46ee..62ae934a 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_22.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_22.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: "Remote Desktop Services: Shell start notification received" EventId: 22 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational +Provider: Microsoft-Windows-TerminalServices-LocalSessionManager Maps: - Property: UserName diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_23.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_23.map index a7dceeaa..67045a98 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_23.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_23.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: "Remote Desktop Services: Session logoff succeeded" EventId: 23 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational +Provider: Microsoft-Windows-TerminalServices-LocalSessionManager Maps: - Property: UserName diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_24.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_24.map index 03fb5afd..19001b56 100644 
--- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_24.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_24.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: "Remote Desktop Services: Session has been disconnected" EventId: 24 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational +Provider: Microsoft-Windows-TerminalServices-LocalSessionManager Maps: - Property: UserName diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_25.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_25.map index 5af43009..7b14e9bd 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_25.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_25.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: "Remote Desktop Services: Session reconnection succeeded" EventId: 25 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational +Provider: Microsoft-Windows-TerminalServices-LocalSessionManager Maps: - Property: UserName diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_39.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_39.map index 51625ac6..8be44d9c 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_39.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_39.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Session (Payload 1) has been disconnected by session (Payload 2) EventId: 39 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational +Provider: Microsoft-Windows-TerminalServices-LocalSessionManager Maps: - Property: PayloadData1 
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_40.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_40.map index 0faa1c74..97445152 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_40.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_40.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Session (Payload 1) has been disconnected, reason code (Payload 2) EventId: 40 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational +Provider: Microsoft-Windows-TerminalServices-LocalSessionManager Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1024.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1024.map index 86093bc5..cecb7278 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1024.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1024.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: RDP Client is trying to connect to the server EventId: 1024 Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational +Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1025.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1025.map index e68e809b..5400c428 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1025.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1025.map 
@@ -2,6 +2,7 @@ Author: Gabriele Zambelli @gazambelli Description: RDP ClientActiveX has connected to the server EventId: 1025 Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational +Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore Maps: - Property: PayloadData6 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1026.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1026.map index 81a28fbf..067f455d 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1026.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1026.map @@ -2,6 +2,7 @@ Author: Gabriele Zambelli @gazambelli Description: RDP ClientActiveX has been disconnected EventId: 1026 Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational +Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1027.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1027.map index ba68b2eb..581d7f63 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1027.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1027.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: RDP Connected to domain EventId: 1027 Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational +Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1029.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1029.map index e31c69f4..64ea2592 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1029.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1029.map 
@@ -2,6 +2,7 @@ Author: Gabriele Zambelli @gazambelli Description: "RDP (outgoing connection)" EventId: 1029 Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational +Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1102.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1102.map index e1d581f9..1d42e153 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1102.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1102.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: RDP client has initiated a multi-transport connection to the server EventId: 1102 Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational +Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1103.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1103.map index 0434da99..c60534cd 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1103.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1103.map @@ -2,6 +2,7 @@ Author: Gabriele Zambelli @gazambelli Description: The RDP client has established a multi-transport connection to the server EventId: 1103 Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational +Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore Maps: - Property: PayloadData6 diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_1149.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_1149.map index 21a4f2fd..10f1a8cc 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_1149.map 
+++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_1149.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: RDP network connection established EventId: 1149 Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational +Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager Maps: - Property: Username diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_261.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_261.map index 3130b452..9e616eb4 100644 --- a/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_261.map +++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_261.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: RDP Listener received a connection EventId: 261 Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational +Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-VHDMP-Operational_2.map b/evtx/Maps/Microsoft-Windows-VHDMP-Operational_2.map index 7ab25745..fe1b868d 100644 --- a/evtx/Maps/Microsoft-Windows-VHDMP-Operational_2.map +++ b/evtx/Maps/Microsoft-Windows-VHDMP-Operational_2.map @@ -2,6 +2,7 @@ Author: Phill Moore Description: A VHD has been removed EventId: 2 Channel: "Microsoft-Windows-VHDMP/Operational" +Provider: Microsoft-Windows-VHDMP Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8000.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8000.map index ca94aabd..1a866f31 100644 --- a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8000.map +++ b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8000.map 
@@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn Description: WIFI connection was attempted. EventId: 8000 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational" +Provider: Microsoft-Windows-WLAN-AutoConfig Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8001.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8001.map index aec05168..4eb09478 100644 --- a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8001.map +++ b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8001.map @@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn Description: WIFI connection was successful. EventId: 8001 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational" +Provider: Microsoft-Windows-WLAN-AutoConfig Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8002.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8002.map index 17f0e031..8c98a5a5 100644 --- a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8002.map +++ b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8002.map @@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn Description: WIFI connection was failed. EventId: 8002 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational" +Provider: Microsoft-Windows-WLAN-AutoConfig Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8003.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8003.map index a8a6b8fb..e065a241 100644 --- a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8003.map +++ b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8003.map @@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn Description: WIFI connection was terminated. EventId: 8003 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational" +Provider: Microsoft-Windows-WLAN-AutoConfig Maps: - Property: PayloadData1 
diff --git a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5857.map b/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5857.map index 7b5d1b0d..4745b66b 100644 --- a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5857.map +++ b/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5857.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: WMI wmiprvse execution EventId: 5857 Channel: Microsoft-Windows-WMI-Activity/Operational +Provider: Microsoft-Windows-WMI-Activity Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5860.map b/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5860.map index f85eb852..b37a254e 100644 --- a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5860.map +++ b/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5860.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: "Remote Desktop Services: Session logoff succeeded" EventId: 5860 Channel: WMI Registration of Temporary Event Consumer +Provider: Microsoft-Windows-WMI-Activity Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5861.map b/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5861.map index e4c51904..3d1d1c57 100644 --- a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5861.map +++ b/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5861.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: WMI Registration of Permanent Event Consumer EventId: 5861 Channel: Microsoft-Windows-WMI-Activity/Operational +Provider: Microsoft-Windows-WMI-Activity Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Microsoft-Windows-WinRM_169.map b/evtx/Maps/Microsoft-Windows-WinRM_169.map index 812bfaea..e074b2b0 100644 --- a/evtx/Maps/Microsoft-Windows-WinRM_169.map +++ b/evtx/Maps/Microsoft-Windows-WinRM_169.map 
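Review bot: The 5860 map still carries a Description copied from the RDS logoff map and a Channel value that is not a channel name — `Description: "Remote Desktop Services: Session logoff succeeded"` and `Channel: WMI Registration of Temporary Event Consumer` — so the new `Provider: Microsoft-Windows-WMI-Activity` is being attached to a map whose channel, if it is used as a match key like in the sibling maps, can never match a real event. The text in Channel is clearly the intended description, and the 5861 map in this same diff shows the correct channel. Change the two lines to `Description: WMI Registration of Temporary Event Consumer` and `Channel: Microsoft-Windows-WMI-Activity/Operational`.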
@@ -2,6 +2,7 @@ Author: Mike Pilkington Description: WinRM Authentication EventId: 169 Channel: "Microsoft-Windows-WinRM/Operational" +Provider: Microsoft-Windows-WinRM Maps: - Property: Username @@ -28,4 +29,4 @@ Maps: # # iewin7\ieuser # NTLM -# \ No newline at end of file +# diff --git a/evtx/Maps/Microsoft-Windows-Windows_Firewall_With_Advanced_Security_2004.map b/evtx/Maps/Microsoft-Windows-Windows_Firewall_With_Advanced_Security_2004.map index 2c9c29d6..d8236521 100644 --- a/evtx/Maps/Microsoft-Windows-Windows_Firewall_With_Advanced_Security_2004.map +++ b/evtx/Maps/Microsoft-Windows-Windows_Firewall_With_Advanced_Security_2004.map @@ -2,6 +2,7 @@ Author: peter.snyder@kroll.com Description: FW rule added to exception list EventId: 2004 Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall +Provider: Microsoft-Windows-Windows Firewall With Advanced Security Maps: - Property: PayloadData1 diff --git a/evtx/Maps/OAlerts_300.map b/evtx/Maps/OAlerts_300.map index 463635db..66b4bf24 100644 --- a/evtx/Maps/OAlerts_300.map +++ b/evtx/Maps/OAlerts_300.map @@ -2,6 +2,7 @@ Author: Lennaert Oudshoorn @lennaert89 Description: OAlerts 300 event EventId: 300 Channel: OAlerts +Provider: "Microsoft Office 16 Alerts" Maps: - Property: PayloadData1 diff --git a/evtx/Maps/OpenSSH_4.map b/evtx/Maps/OpenSSH_4.map index e0c004c3..6370a4f0 100644 --- a/evtx/Maps/OpenSSH_4.map +++ b/evtx/Maps/OpenSSH_4.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: SSH activity. EventId: 4 Channel: "OpenSSH/Operational" +Provider: OpenSSH Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Security_1102.map b/evtx/Maps/Security_1102.map index d3040b4d..c0fffcc5 100644 --- a/evtx/Maps/Security_1102.map +++ b/evtx/Maps/Security_1102.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Event log cleared EventId: 1102 Channel: Security +Provider: Microsoft-Windows-Eventlog Maps: - Property: Username 
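Review bot: `Provider: "Microsoft Office 16 Alerts"` pins the OAlerts 300 map to a single Office generation, whereas `Channel: OAlerts` plus `EventId: 300` was version-agnostic before this change. If the tool now matches on Provider (which is what the rest of this commit suggests), OAlerts events written by Office builds that register under a differently numbered provider name will silently stop being mapped rather than fail loudly. Either confirm that only the Office 16 provider name is in scope, or document the limitation next to the field, e.g. `# Provider name is Office-version specific; other Office builds may need their own map`.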
diff --git a/evtx/Maps/Security_4616.map b/evtx/Maps/Security_4616.map index 0315a9ff..f4b871e8 100644 --- a/evtx/Maps/Security_4616.map +++ b/evtx/Maps/Security_4616.map @@ -2,6 +2,7 @@ Author: Gabriele Zambelli @gazambelli Description: The system time was changed EventId: 4616 Channel: "Security" +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName diff --git a/evtx/Maps/Security_4624.map b/evtx/Maps/Security_4624.map index 4b5e4293..f597c693 100644 --- a/evtx/Maps/Security_4624.map +++ b/evtx/Maps/Security_4624.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Successful logon EventId: 4624 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4625.map b/evtx/Maps/Security_4625.map index f19adac7..b5c74fd1 100644 --- a/evtx/Maps/Security_4625.map +++ b/evtx/Maps/Security_4625.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Failed logon EventId: 4625 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4634.map b/evtx/Maps/Security_4634.map index 361a4ead..b371d333 100644 --- a/evtx/Maps/Security_4634.map +++ b/evtx/Maps/Security_4634.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: An account was logged off EventId: 4634 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Security_4647.map b/evtx/Maps/Security_4647.map index 2d152b83..f244b76c 100644 --- a/evtx/Maps/Security_4647.map +++ b/evtx/Maps/Security_4647.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: User initiated logoff EventId: 4647 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName diff --git a/evtx/Maps/Security_4648.map b/evtx/Maps/Security_4648.map index 4de4d377..0ab06757 100644 --- a/evtx/Maps/Security_4648.map 
+++ b/evtx/Maps/Security_4648.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: A logon was attempted using explicit credentials EventId: 4648 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4657.map b/evtx/Maps/Security_4657.map index ca4bac9a..0b6ccdd3 100644 --- a/evtx/Maps/Security_4657.map +++ b/evtx/Maps/Security_4657.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: A registry value was modified. EventId: 4657 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName diff --git a/evtx/Maps/Security_4661.map b/evtx/Maps/Security_4661.map index fd907295..df48de0e 100644 --- a/evtx/Maps/Security_4661.map +++ b/evtx/Maps/Security_4661.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Handle requested to an object EventId: 4661 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4662.map b/evtx/Maps/Security_4662.map index 24dd2733..da6131ce 100644 --- a/evtx/Maps/Security_4662.map +++ b/evtx/Maps/Security_4662.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Operation performed on an object EventId: 4662 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4663.map b/evtx/Maps/Security_4663.map index fdf96bea..6fa6d050 100644 --- a/evtx/Maps/Security_4663.map +++ b/evtx/Maps/Security_4663.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Attempt was made to access an object EventId: 4663 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4672.map b/evtx/Maps/Security_4672.map index 43fe703f..ce851d65 100644 --- a/evtx/Maps/Security_4672.map +++ b/evtx/Maps/Security_4672.map 
@@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Administrative logon EventId: 4672 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4688.map b/evtx/Maps/Security_4688.map index 4b3a2170..76d76937 100644 --- a/evtx/Maps/Security_4688.map +++ b/evtx/Maps/Security_4688.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Process tracking EventId: 4688 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4697.map b/evtx/Maps/Security_4697.map index f7455aa2..80892629 100644 --- a/evtx/Maps/Security_4697.map +++ b/evtx/Maps/Security_4697.map @@ -2,6 +2,7 @@ Author: Mark Hallman mark.hallman@gmail.com Description: A service was installed on the system EventId: 4697 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4698.map b/evtx/Maps/Security_4698.map index 67b3a1bc..68ccab51 100644 --- a/evtx/Maps/Security_4698.map +++ b/evtx/Maps/Security_4698.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Scheduled task created EventId: 4698 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4699.map b/evtx/Maps/Security_4699.map index 9e0cb2e4..b2da4915 100644 --- a/evtx/Maps/Security_4699.map +++ b/evtx/Maps/Security_4699.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Scheduled task deleted EventId: 4699 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4700.map b/evtx/Maps/Security_4700.map index 045369b5..02435dc2 100644 --- a/evtx/Maps/Security_4700.map +++ b/evtx/Maps/Security_4700.map 
@@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: A scheduled task was enabled EventId: 4700 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName @@ -35,3 +36,10 @@ Maps: Name: SubjectUserSid Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]" +# Valid properties include: +# UserName +# RemoteHost +# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. +# PayloadData1 through PayloadData6 + +# Example payload data diff --git a/evtx/Maps/Security_4701.map b/evtx/Maps/Security_4701.map index 77ff38c1..a5404454 100644 --- a/evtx/Maps/Security_4701.map +++ b/evtx/Maps/Security_4701.map @@ -2,6 +2,7 @@ Author: Mark Hallman mark.hallman@gmail.com Description: A scheduled task was disabled EventId: 4701 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username @@ -20,3 +21,11 @@ Maps: - Name: Value: "/Event/EventData/Data[@Name=\"\"]" + +# Valid properties include: +# UserName +# RemoteHost +# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. +# PayloadData1 through PayloadData6 + +# Example payload data diff --git a/evtx/Maps/Security_4702.map b/evtx/Maps/Security_4702.map index 8583acdb..8da4f43c 100644 --- a/evtx/Maps/Security_4702.map +++ b/evtx/Maps/Security_4702.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: A scheduled task was updated EventId: 4702 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4719.map b/evtx/Maps/Security_4719.map index a40e94e8..5fe9aff5 100644 --- a/evtx/Maps/Security_4719.map +++ b/evtx/Maps/Security_4719.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: System audit policy was changed EventId: 4719 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username 
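Review bot: The second hunk of Security_4701.map leaves a placeholder value entry in place — `- Name:` with no name and `Value: "/Event/EventData/Data[@Name=\"\"]"` — and only appends commentary below it. An entry whose Name is empty and whose XPath selects `Data[@Name=""]` cannot resolve to any field of a 4701 event, so it should be deleted or filled in with the field it was meant to carry; the Values list it belongs to begins above the hunk and is not visible here. The appended `# Example payload data` header is also left with nothing under it, in both the 4700 and 4701 files; either add the sample or drop the header.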
diff --git a/evtx/Maps/Security_4720.map b/evtx/Maps/Security_4720.map index e62ff405..1565aed6 100644 --- a/evtx/Maps/Security_4720.map +++ b/evtx/Maps/Security_4720.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: New user created EventId: 4720 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4722.map b/evtx/Maps/Security_4722.map index 56285902..27d6c93b 100644 --- a/evtx/Maps/Security_4722.map +++ b/evtx/Maps/Security_4722.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: A user account was enabled EventId: 4722 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName @@ -36,8 +37,7 @@ Maps: - Name: SubjectLogonId Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]" - - + # Valid properties include: # UserName # RemoteHost diff --git a/evtx/Maps/Security_4723.map b/evtx/Maps/Security_4723.map index 889efb00..1ea3e1e0 100644 --- a/evtx/Maps/Security_4723.map +++ b/evtx/Maps/Security_4723.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: An attempt was made to change an account's password EventId: 4723 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName 
@@ -43,33 +44,35 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723 +# # Example payload data -# -# defaultuser1 -# MICROSO-F9QCQ4I -# S-1-5-21-3634127885-2815721165-4177678784-1004 -# S-1-5-18 -# MICROSO-F9QCQ4I$ -# TEMP -# 0x3E7 -# - -# defaultuser1 -# %%1793 -# - -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1794 -# %%1794 -# 513 -# - -# 0x0 -# 0x15 -# %%2080%%2082%%2084 -# %%1793 -# - -# %%1797 -# \ No newline at end of file +#- +#- +# +# 4723 +# 0 +# 0 +# 13824 +# 0 +# 0x8020000000000000 +# +# 175722 +# +# +# Security +# DC01.contoso.local +# +# +#- +# dadmin +# CONTOSO +# S-1-5-21-3457937927-2839227994-823803824-1104 +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x1a9b76 +# - +# +# diff --git a/evtx/Maps/Security_4724.map b/evtx/Maps/Security_4724.map index 1e7ff55b..edc43607 100644 --- a/evtx/Maps/Security_4724.map +++ b/evtx/Maps/Security_4724.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: An attempt was made to reset an account's password EventId: 4724 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName 
@@ -43,33 +44,34 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724 +# # Example payload data -# -# defaultuser1 -# MICROSO-F9QCQ4I -# S-1-5-21-3634127885-2815721165-4177678784-1004 -# S-1-5-18 -# MICROSO-F9QCQ4I$ -# TEMP -# 0x3E7 -# - -# defaultuser1 -# %%1793 -# - -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1794 -# %%1794 -# 513 -# - -# 0x0 -# 0x15 -# %%2080%%2082%%2084 -# %%1793 -# - -# %%1797 -# \ No newline at end of file +#- +#- +# +# 4724 +# 0 +# 0 +# 13824 +# 0 +# 0x8020000000000000 +# +# 175740 +# +# +# Security +# DC01.contoso.local +# +# +#- +# User1 +# CONTOSO +# S-1-5-21-3457937927-2839227994-823803824-1107 +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x30d5f +# +# diff --git a/evtx/Maps/Security_4725.map b/evtx/Maps/Security_4725.map index 030a9b9b..a7395939 100644 --- a/evtx/Maps/Security_4725.map +++ b/evtx/Maps/Security_4725.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: A user account was disabled EventId: 4725 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName 
@@ -43,33 +44,34 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725 +# # Example payload data -# -# defaultuser1 -# MICROSO-F9QCQ4I -# S-1-5-21-3634127885-2815721165-4177678784-1004 -# S-1-5-18 -# MICROSO-F9QCQ4I$ -# TEMP -# 0x3E7 -# - -# defaultuser1 -# %%1793 -# - -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1794 -# %%1794 -# 513 -# - -# 0x0 -# 0x15 -# %%2080%%2082%%2084 -# %%1793 -# - -# %%1797 -# \ No newline at end of file +#- +#- +# +# 4725 +# 0 +# 0 +# 13824 +# 0 +# 0x8020000000000000 +# +# 175714 +# +# +# Security +# DC01.contoso.local +# +# +#- +# Auditor +# CONTOSO +# S-1-5-21-3457937927-2839227994-823803824-2104 +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x30d5f +# +# diff --git a/evtx/Maps/Security_4726.map b/evtx/Maps/Security_4726.map index 12c21ccf..dd68be0b 100644 --- a/evtx/Maps/Security_4726.map +++ b/evtx/Maps/Security_4726.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: A user account was deleted EventId: 4726 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName 
@@ -43,33 +44,35 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726 +# # Example payload data -# -# defaultuser1 -# MICROSO-F9QCQ4I -# S-1-5-21-3634127885-2815721165-4177678784-1004 -# S-1-5-18 -# MICROSO-F9QCQ4I$ -# TEMP -# 0x3E7 -# - -# defaultuser1 -# %%1793 -# - -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1794 -# %%1794 -# 513 -# - -# 0x0 -# 0x15 -# %%2080%%2082%%2084 -# %%1793 -# - -# %%1797 -# \ No newline at end of file +# - +#- +# +# 4726 +# 0 +# 0 +# 13824 +# 0 +# 0x8020000000000000 +# +# 175720 +# +# +# Security +# DC01.contoso.local +# +# +#- +# ksmith +# CONTOSO +# S-1-5-21-3457937927-2839227994-823803824-6609 +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x30d5f +# - +# +# diff --git a/evtx/Maps/Security_4738.map b/evtx/Maps/Security_4738.map index 1b779916..ccd2c643 100644 --- a/evtx/Maps/Security_4738.map +++ b/evtx/Maps/Security_4738.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: A user account was changed EventId: 4738 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username 
@@ -87,17 +88,33 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - -# Example payload data +# +# +# +# +# 4738 +# 0 +# 0 +# 13824 +# 0 +# 0x8020000090000000 +# +# 63712344901 +# +# +# Security +# HOSTNAME.domain.com +# +# # # - -# alice -# insecurebank -# S-1-5-21-738609754-2819869699-4189121830-1107 -# S-1-5-21-738609754-2819869699-4189121830-1108 -# bob -# insecurebank -# 0x3D8E8DB +# SM_f628653781234ab0a +# DOMAIN +# S-1-5-21-796845957-842132446-834562115-120937 +# S-1-5-21-791244957-84296758246-835462115-115455 +# HOSTNAME$ +# DOMAIN +# 0x1A96FF7 # - # - # - @@ -107,7 +124,7 @@ Maps: # - # - # - -# - +# 10/2/2020 6:18:59 PM # - # - # - @@ -117,4 +134,5 @@ Maps: # - # - # - -# \ No newline at end of file +# +# diff --git a/evtx/Maps/Security_4740.map b/evtx/Maps/Security_4740.map index 148bf8e3..59553307 100644 --- a/evtx/Maps/Security_4740.map +++ b/evtx/Maps/Security_4740.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: A user account was locked out EventId: 4740 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName @@ -42,33 +43,32 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - -# Example payload data -# -# defaultuser1 -# MICROSO-F9QCQ4I -# S-1-5-21-3634127885-2815721165-4177678784-1004 -# S-1-5-18 -# MICROSO-F9QCQ4I$ -# TEMP -# 0x3E7 -# - -# defaultuser1 -# %%1793 -# - -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1794 -# %%1794 -# 513 -# - -# 0x0 -# 0x15 -# %%2080%%2082%%2084 -# %%1793 -# - -# %%1797 -# +# +# Example of payload data + + + + 4740 + 0 + 0 + 13845 + 0 + 0x8020000000090000 + + 6375965559 + + + Security + HOSTNAME.domain.com + + + + username + DOMAIN + S-1-5-21-796856757-842925246-838762115-147259 + S-1-5-18 + DOMAIN$ + DOMAIN + 0x3F7 + + 
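Review bot: The `# Example payload data` heading is removed from Security_4738.map's first hunk (`-# Example payload data`) and replaced by bare `+#` spacer lines, so the sample that follows has no label, unlike the 4725, 4726 and 4742 maps in this commit, which keep that heading above their samples. Restoring the single line `# Example payload data` before the `# 4738` block keeps the comment layout uniform across the map set. The hunk at `@@ -107,7 +124,7 @@` swaps a `# -` placeholder for `# 10/2/2020 6:18:59 PM`, the only locale-formatted timestamp among these samples; a short comment naming what that value stands in for would help readers who cannot see the surrounding XML tags.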
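Review bot: The sample XML appended to Security_4740.map (`+ 4740`, `+ 0`, `+ 13845`, `+ Security`, `+ HOSTNAME.domain.com`, `+ username`, …) is not prefixed with `#`, unlike every other sample in this commit, so these lines become live YAML content after the `Maps:` sequence rather than comments. A block of bare XML elements following a mapping will most likely make the YAML loader reject the file, leaving the 4740 (account lockout) map unusable. Each added sample line should carry the comment prefix, e.g. `# 4740`, matching the `+# Example of payload data` heading directly above it, and the removed trailing `# ` line should stay a comment as well.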
diff --git a/evtx/Maps/Security_4742.map b/evtx/Maps/Security_4742.map index a13d87a9..1d6b45c0 100644 --- a/evtx/Maps/Security_4742.map +++ b/evtx/Maps/Security_4742.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: A computer account was changed EventId: 4742 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username @@ -93,37 +94,56 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742 +# # Example payload data -# -# - -# ALICE$ -# insecurebank -# S-1-5-21-738609754-2819869699-4189121830-1120 -# S-1-5-21-738609754-2819869699-4189121830-500 -# Administrator -# insecurebank -# 0x418A6DA -# - - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# - -# , HOST/alice.insecurebank.local, RestrictedKrbHost/alice.insecurebank.local, HOST/ALICE, RestrictedKrbHost/ALICE, TERMSRV/alice.insecurebank.local, TERMSRV/ALICE, WSMAN/alice.insecurebank.local, WSMAN/alice, E3514235-4B06-11D1-AB04-00C04FC2DCD2/ae9a3b29-01d1-4851-8ca8-e49cd3985e5b/insecurebank.local -# \ No newline at end of file +#- +#- +# +# 4742 +# 0 +# 0 +# 13825 +# 0 +# 0x8020000000000000 +# +# 171754 +# +# +# Security +# DC01.contoso.local +# +# +#- +# - +# WIN81$ +# CONTOSO +# S-1-5-21-3457937927-2839227994-823803824-6116 +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x2e80c +# - +# - +# - +# - +# - +# - +# - +# - +# - +# - +# - +# - +# %%1793 +# 0x80 +# 0x2080 +# %%2093 +# - +# - +# - +# - +# - +# +# diff --git a/evtx/Maps/Security_4768.map b/evtx/Maps/Security_4768.map index 50979787..f64af51b 100644 --- a/evtx/Maps/Security_4768.map +++ b/evtx/Maps/Security_4768.map 
@@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: A Kerberos authentication ticket (TGT) was requested EventId: 4768 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 @@ -14,8 +15,6 @@ Maps: Name: user Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]" - - # Valid properties include: # UserName # RemoteHost diff --git a/evtx/Maps/Security_4769.map b/evtx/Maps/Security_4769.map index 316b7749..f2c58520 100644 --- a/evtx/Maps/Security_4769.map +++ b/evtx/Maps/Security_4769.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: A Kerberos service ticket was requested EventId: 4769 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Security_4776.map b/evtx/Maps/Security_4776.map index b8f3ff99..ffa310fa 100644 --- a/evtx/Maps/Security_4776.map +++ b/evtx/Maps/Security_4776.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: NTLM authentication request EventId: 4776 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Security_4778.map b/evtx/Maps/Security_4778.map index 7b609f47..a1d9609a 100644 --- a/evtx/Maps/Security_4778.map +++ b/evtx/Maps/Security_4778.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: RDP reconnecting EventId: 4778 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username diff --git a/evtx/Maps/Security_4779.map b/evtx/Maps/Security_4779.map index 8c6730fc..9a552dae 100644 --- a/evtx/Maps/Security_4779.map +++ b/evtx/Maps/Security_4779.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: RDP disconnecting EventId: 4779 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username 
diff --git a/evtx/Maps/Security_4798.map b/evtx/Maps/Security_4798.map index 61351826..2b6bd7aa 100644 --- a/evtx/Maps/Security_4798.map +++ b/evtx/Maps/Security_4798.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: A user's local group membership was enumerated EventId: 4798 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName @@ -58,31 +59,32 @@ Maps: # PayloadData1 through PayloadData6 # Example payload data -# -# defaultuser1 -# MICROSO-F9QCQ4I -# S-1-5-21-3634127885-2815721165-4177678784-1004 -# S-1-5-18 -# MICROSO-F9QCQ4I$ -# TEMP -# 0x3E7 -# - -# defaultuser1 -# %%1793 -# - -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1794 -# %%1794 -# 513 -# - -# 0x0 -# 0x15 -# %%2080%%2082%%2084 -# %%1793 -# - -# %%1797 -# \ No newline at end of file +# +# +# +# 4798 +# 0 +# 0 +# 13254 +# 0 +# 0x8040000000000000 +# +# 262345693 +# +# +# Security +# HOSTNAME.domain.com +# +# +# +# Administrator +# HOSTNAME +# S-1-5-21-1622784062-108344387-1250442527-500 +# S-1-5-21-527236740-1500820517-725445543-894330 +# username +# domain +# 0x1E234AD14 +# 0x58F4 +# C:\Windows\System32\Sysprep\sysprep.exe +# +# diff --git a/evtx/Maps/Security_4799.map b/evtx/Maps/Security_4799.map index c8255e44..010eccb8 100644 --- a/evtx/Maps/Security_4799.map +++ b/evtx/Maps/Security_4799.map @@ -2,6 +2,7 @@ Author: Andrew Rathbun Description: A security-enabled local group membership was enumerated EventId: 4799 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: UserName 
@@ -58,31 +59,32 @@ Maps: # PayloadData1 through PayloadData6 # Example payload data -# -# defaultuser1 -# MICROSO-F9QCQ4I -# S-1-5-21-3634127885-2815721165-4177678784-1004 -# S-1-5-18 -# MICROSO-F9QCQ4I$ -# TEMP -# 0x3E7 -# - -# defaultuser1 -# %%1793 -# - -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1793 -# %%1794 -# %%1794 -# 513 -# - -# 0x0 -# 0x15 -# %%2080%%2082%%2084 -# %%1793 -# - -# %%1797 -# \ No newline at end of file +# +# +# +# 4799 +# 0 +# 0 +# 13845 +# 0 +# 0x8000300000000000 +# +# 245996201 +# +# +# Security +# HOSTNAME.domain.com +# +# +# +# Administrators +# Builtin +# S-1-5-32-123 +# S-1-5-18 +# ANONYMOUSUSER +# DOMAIN +# 0x3F3 +# 0x123 +# C:\Windows\System32\svchost.exe +# +# diff --git a/evtx/Maps/Security_4800.map b/evtx/Maps/Security_4800.map index b6dd65bd..5fc6324e 100644 --- a/evtx/Maps/Security_4800.map +++ b/evtx/Maps/Security_4800.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: The workstation was locked EventId: 4800 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Security_4801.map b/evtx/Maps/Security_4801.map index 01377423..60bb3efd 100644 --- a/evtx/Maps/Security_4801.map +++ b/evtx/Maps/Security_4801.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: The workstation was unlocked EventId: 4801 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 @@ -24,7 +25,7 @@ Maps: # # # -# 4802 +# 4801 # 0 # 0 # 12551 diff --git a/evtx/Maps/Security_4802.map b/evtx/Maps/Security_4802.map index 4f75fd6b..a0de4c6c 100644 --- a/evtx/Maps/Security_4802.map +++ b/evtx/Maps/Security_4802.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: The screen saver was invoked EventId: 4802 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 
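Review bot: The Security_4799.map sample pairs the group name `# Administrators` / `# Builtin` with `# S-1-5-32-123`, which is not the well-known SID of BUILTIN\Administrators (`S-1-5-32-544`); the group is a fixed well-known principal, so the sanitized SID is misleading to anyone checking live 4799 events against this comment. Either use the real well-known SID, which is not sensitive, or add `# (sample values sanitized)` under the `# Example payload data` heading so readers do not treat the identifiers as authoritative. The same caveat would apply to the 4798 sample in the previous hunk, whose domain-scoped SIDs are clearly placeholders.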
diff --git a/evtx/Maps/Security_4803.map b/evtx/Maps/Security_4803.map index c32a75f5..6f5e7034 100644 --- a/evtx/Maps/Security_4803.map +++ b/evtx/Maps/Security_4803.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: The screen saver was dismissed EventId: 4803 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: PayloadData1 diff --git a/evtx/Maps/Security_5136.map b/evtx/Maps/Security_5136.map index 1cb3fed4..187660fb 100644 --- a/evtx/Maps/Security_5136.map +++ b/evtx/Maps/Security_5136.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: A directory service object was modified EventId: 5136 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username 
@@ -44,22 +45,46 @@ Maps: # Valid properties include: # UserName - +# RemoteHost +# ExecutableInfo --> used for things like +# PayloadData1 through PayloadData6 +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 +# # Example payload data # -# 2ea9670c-f0f9-4d3f-90e5-a087e8c05863 -# - -# S-1-5-21-738609754-2819869699-4189121830-1108 -# bob -# insecurebank -# 0x40F2719 -# insecurebank.local -# %%14676 -# DC=insecurebank,DC=local -# c6faf700-bfe4-452a-a766-424f84c29583 -# domainDNS -# nTSecurityDescriptor -# 2.5.5.15 -# O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7
-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) -# %%14675 -# \ No newline at end of file +#- +#- +# +# 5136 +# 0 +# 0 +# 14081 +# 0 +# 
0x8020000000000000 +# +# 410204 +# +# +# Security +# DC01.contoso.local +# +# +#- +# {02647639-8626-43CE-AFE6-7AA1AD657739} +# - +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x32004 +# contoso.local +# %%14676 +# CN=Sergey,CN=Builtin,DC=contoso,DC=local +# {4FE80A66-5F93-4F73-B215-68678058E613} +# user +# userAccountControl +# 2.5.5.9 +# 512 +# %%14675 +# +# diff --git a/evtx/Maps/Security_5140.map b/evtx/Maps/Security_5140.map index d766b72a..3a309d7e 100644 --- a/evtx/Maps/Security_5140.map +++ b/evtx/Maps/Security_5140.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Share access EventId: 5140 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username @@ -46,18 +47,39 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140 +# # Example payload data -# -# S-1-5-21-100689374-1717798114-2601648136-1001 -# SRL-Helpdesk -# WKS-WIN732BITA -# 0x174A094B -# File -# 10.3.58.7 -# 4508 -# \\*\ADMIN$ -# \??\C:\Windows -# 0x1 -# %%4416 -# \ No newline at end of file +#- +#- +# +# 5140 +# 1 +# 0 +# 12808 +# 0 +# 0x8020000000000000 +# +# 268495 +# +# +# Security +# DC01.contoso.local +# +# +#- +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x541f35 +# File +# 10.0.0.100 +# 49212 +# \\\\\*\\Documents +# \\??\\C:\\Documents +# 0x1 +# %%4416 +# +# + diff --git a/evtx/Maps/Security_5142.map b/evtx/Maps/Security_5142.map index eb1bbc70..e07a384b 100644 --- a/evtx/Maps/Security_5142.map +++ b/evtx/Maps/Security_5142.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Local network share added EventId: 5142 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username 
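Review bot: The new legend line `+# ExecutableInfo --> used for things like` in Security_5136.map is truncated; the same comment in the other maps touched here (the 4725 and 5140 hunks, for example) reads `# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.`, and the shortened form gives the reader no guidance on when to use that property. Use the full sentence so the property legend matches the rest of the map set.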
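Review bot: The share and path values in the new Security_5140.map sample, `+# \\\\\*\\Documents` and `+# \\??\\C:\\Documents`, carry doubled backslashes, whereas the removed sample had `\\*\ADMIN$` and `\??\C:\Windows` and the ShareName/ShareLocalPath fields of a live 5140 event use single separators; this looks like an escaping artifact of the page the sample was copied from. The same doubled form appears in the 5142 and 5144 hunks (`\\\\\*\\Documents`, `C:\\Documents`) and in the 5145 hunk (`\\\\\*\\Documents`, `\\??\\C:\\Documents`). Because analysts compare these comments against event data when writing share-access detections, the samples should show the unescaped form, e.g. `# \\*\Documents` and `# \??\C:\Documents`.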
@@ -40,14 +41,33 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5142 +# # Example payload data -# -# S-1-5-21-3583694148-1414552638-2922671848-1000 -# IEUser -# PC04 -# 0x128A9 -# \\*\PRINT -# c:\windows\system32 -# -# \ No newline at end of file +#- +#- +# +# 5142 +# 0 +# 0 +# 12808 +# 0 +# 0x8020000000000000 +# +# 268462 +# +# +# Security +# DC01.contoso.local +# +# +#- +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x38d12 +# \\\\\*\\Documents +# C:\\Documents +# +# diff --git a/evtx/Maps/Security_5144.map b/evtx/Maps/Security_5144.map index 04cd3465..0da692da 100644 --- a/evtx/Maps/Security_5144.map +++ b/evtx/Maps/Security_5144.map @@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Local network share deleted EventId: 5144 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username @@ -40,14 +41,33 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5144 +# # Example payload data -# -# S-1-5-21-3583694148-1414552638-2922671848-1000 -# IEUser -# PC04 -# 0x128A9 -# \\*\PRINT -# c:\windows\system32 -# -# \ No newline at end of file +#- +#- +# +# 5144 +# 0 +# 0 +# 12808 +# 0 +# 0x8020000000000000 +# +# 268368 +# +# +# Security +# DC01.contoso.local +# +# +#- +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x38d12 +# \\\\\*\\Documents +# C:\\Documents +# +# diff --git a/evtx/Maps/Security_5145.map b/evtx/Maps/Security_5145.map index e678bb30..b9bb878c 100644 --- a/evtx/Maps/Security_5145.map +++ b/evtx/Maps/Security_5145.map 
@@ -2,6 +2,7 @@ Author: Mike Pilkington Description: Network share object access EventId: 5145 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: Username @@ -63,21 +64,40 @@ Maps: # RemoteHost # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. # PayloadData1 through PayloadData6 - +# +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145 +# # Example payload data -# -# S-1-5-21-3583694148-1414552638-2922671848-1000 -# IEUser -# PC01 -# 0x95C2E -# File -# 10.0.2.16 -# 59492 -# \\*\ADMIN$ -# \??\C:\Windows -# \ -# 0x100088 -# %%1541, %%4419, %%4423, -# - -# -# \ No newline at end of file +#- +#- +# +# 5145 +# 0 +# 0 +# 12811 +# 0 +# 0x8020000000000000 +# +# 267092 +# +# +# Security +# DC01.contoso.local +# +# +#- +# S-1-5-21-3457937927-2839227994-823803824-1104 +# dadmin +# CONTOSO +# 0x38d34 +# File +# fe80::31ea:6c3c:f40d:1973 +# 56926 +# \\\\\*\\Documents +# \\??\\C:\\Documents +# Bginfo.exe +# 0x100081 +# %%1541 %%4416 %%4423 +# %%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD) +# +# diff --git a/evtx/Maps/Security_5156.map b/evtx/Maps/Security_5156.map index d88a063d..b0335355 100644 --- a/evtx/Maps/Security_5156.map +++ b/evtx/Maps/Security_5156.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: The Windows Filtering Platform has allowed a connection EventId: 5156 Channel: Security +Provider: Microsoft-Windows-Security-Auditing Maps: - Property: ExecutableInfo diff --git a/evtx/Maps/Symantec-Endpoint-Protection-Client_51.map b/evtx/Maps/Symantec-Endpoint-Protection-Client_51.map index f24f9de7..87a62d73 100644 --- a/evtx/Maps/Symantec-Endpoint-Protection-Client_51.map +++ b/evtx/Maps/Symantec-Endpoint-Protection-Client_51.map 
@@ -2,6 +2,7 @@ Author: Gabriele Zambelli @gazambelli Description: Security Risk Found EventId: 51 Channel: "Symantec Endpoint Protection Client" +Provider: "Symantec Endpoint Protection Client" Maps: - Property: ExecutableInfo diff --git a/evtx/Maps/System-Audit-CVE_2.map b/evtx/Maps/System-Audit-CVE_2.map index 55f18144..dd1e4d54 100644 --- a/evtx/Maps/System-Audit-CVE_2.map +++ b/evtx/Maps/System-Audit-CVE_2.map @@ -1,7 +1,8 @@ Author: Troy Larson Description: An attempt to exploit a known vulnerability detected. EventId: 2 -Channel: "System" +Channel: System +Provider: Microsoft-Windows-Audit-CVE Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_1.map b/evtx/Maps/System_1.map index d765fe56..024fd60e 100644 --- a/evtx/Maps/System_1.map +++ b/evtx/Maps/System_1.map @@ -1,8 +1,8 @@ Author: Eric Zimmerman Description: Sleep/wake events EventId: 1 -Channel: "System" -Provider: "Microsoft-Windows-Power-Troubleshooter" +Channel: System +Provider: Microsoft-Windows-Power-Troubleshooter Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_10000.map b/evtx/Maps/System_10000.map index cabf8d31..74d68681 100644 --- a/evtx/Maps/System_10000.map +++ b/evtx/Maps/System_10000.map @@ -3,6 +3,7 @@ Description: Device driver was installed. (Device was connected.) EventId: 10000 Channel: "System" Provider: "Microsoft-Windows-DriverFrameworks-UserMode" +Provider: Microsoft-Windows-DriverFrameworks-UserMode Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_12.map b/evtx/Maps/System_12.map index 447c4dd9..b1accc62 100644 --- a/evtx/Maps/System_12.map +++ b/evtx/Maps/System_12.map @@ -1,8 +1,8 @@ Author: Hyun Yi @hyuunnn Description: OS was started. EventId: 12 -Channel: "System" -Provider: "Microsoft-Windows-Kernel-General" +Channel: System +Provider: Microsoft-Windows-Kernel-General Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_13.map b/evtx/Maps/System_13.map index b273d6b5..f3e866f2 100644 --- a/evtx/Maps/System_13.map 
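Review bot: System_10000.map ends up with two `Provider:` keys: the existing `Provider: "Microsoft-Windows-DriverFrameworks-UserMode"` context line is kept and the hunk adds `+Provider: Microsoft-Windows-DriverFrameworks-UserMode` directly below it. Duplicate mapping keys are either rejected or resolved last-wins depending on the YAML loader, so this map may fail to load or behave differently from its siblings. Drop the added line (or replace the quoted one with it), and for consistency with the System_1, System_12 and System_13 hunks on this page, which unquote these values, change `Channel: "System"` to `Channel: System` as well.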
+++ b/evtx/Maps/System_13.map @@ -1,8 +1,8 @@ Author: Hyun Yi @hyuunnn Description: OS was shutdown. EventId: 13 -Channel: "System" -Provider: "Microsoft-Windows-Kernel-General" +Channel: System +Provider: Microsoft-Windows-Kernel-General Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_42.map b/evtx/Maps/System_42.map index 04f1d3df..5f3ad771 100644 --- a/evtx/Maps/System_42.map +++ b/evtx/Maps/System_42.map @@ -1,7 +1,8 @@ Author: Eric Zimmerman Description: Sleep/wake events EventId: 42 -Channel: "System" +Channel: System +Provider: Microsoft-Windows-Kernel-Power Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_6005.map b/evtx/Maps/System_6005.map index ad9438ac..def9b5f3 100644 --- a/evtx/Maps/System_6005.map +++ b/evtx/Maps/System_6005.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: The Event log service was started EventId: 6005 Channel: System +Provider: EventLog Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_6006.map b/evtx/Maps/System_6006.map index 192afab1..a9111587 100644 --- a/evtx/Maps/System_6006.map +++ b/evtx/Maps/System_6006.map @@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com Description: The Event log service was stopped EventId: 6006 Channel: System +Provider: EventLog Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_6008.map b/evtx/Maps/System_6008.map index 9be55e4d..03489ea3 100644 --- a/evtx/Maps/System_6008.map +++ b/evtx/Maps/System_6008.map @@ -1,7 +1,8 @@ Author: Hyun Yi @hyuunnn Description: Unexpected system shutdown EventId: 6008 -Channel: "System" +Channel: System +Provider: EventLog Maps: - Property: PayloadData1 @@ -12,7 +13,11 @@ Maps: Value: "/Event/EventData/Data" # Valid properties include: - +# UserName +# RemoteHost +# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc. +# PayloadData1 through PayloadData6 +# # # # 
diff --git a/evtx/Maps/System_6013.map b/evtx/Maps/System_6013.map index c0d1124c..d456a777 100644 --- a/evtx/Maps/System_6013.map +++ b/evtx/Maps/System_6013.map @@ -2,6 +2,7 @@ Author: Gabriele Zambelli @gazambelli Description: System uptime EventId: 6013 Channel: System +Provider: EventLog Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_7034.map b/evtx/Maps/System_7034.map index 8e06bb38..2c3fdb4f 100644 --- a/evtx/Maps/System_7034.map +++ b/evtx/Maps/System_7034.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Service crashed unexpectedly EventId: 7034 Channel: System +Provider: Service Control Manager Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_7035.map b/evtx/Maps/System_7035.map index e0cedc76..b025071c 100644 --- a/evtx/Maps/System_7035.map +++ b/evtx/Maps/System_7035.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Service sent a Start/Stop control EventId: 7035 Channel: System +Provider: Service Control Manager Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_7036.map b/evtx/Maps/System_7036.map index 2f7ab802..a9172a6e 100644 --- a/evtx/Maps/System_7036.map +++ b/evtx/Maps/System_7036.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: Service started or stopped EventId: 7036 Channel: System +Provider: Service Control Manager Maps: - Property: PayloadData1 diff --git a/evtx/Maps/System_7045.map b/evtx/Maps/System_7045.map index 8543728b..7fd7d0ab 100644 --- a/evtx/Maps/System_7045.map +++ b/evtx/Maps/System_7045.map @@ -2,6 +2,7 @@ Author: Eric Zimmerman saericzimmerman@gmail.com Description: A new service was installed in the system EventId: 7045 Channel: System +Provider: Service Control Manager Maps: - Property: PayloadData1 diff --git a/evtx/Maps/WindowsDefender_1000.map b/evtx/Maps/WindowsDefender_1000.map index 83a5e332..d23d51fd 100644 --- a/evtx/Maps/WindowsDefender_1000.map 
+++ b/evtx/Maps/WindowsDefender_1000.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Scan has started. EventId: 1000 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1001.map b/evtx/Maps/WindowsDefender_1001.map index 4b8e3679..bc3bdd02 100644 --- a/evtx/Maps/WindowsDefender_1001.map +++ b/evtx/Maps/WindowsDefender_1001.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Scan has finished. EventId: 1001 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1002.map b/evtx/Maps/WindowsDefender_1002.map index 693860ce..6c72c27a 100644 --- a/evtx/Maps/WindowsDefender_1002.map +++ b/evtx/Maps/WindowsDefender_1002.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Warning - Scan stopped before completion. EventId: 1002 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1003.map b/evtx/Maps/WindowsDefender_1003.map index c514232d..1023d83d 100644 --- a/evtx/Maps/WindowsDefender_1003.map +++ b/evtx/Maps/WindowsDefender_1003.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Warning - Scan has been paused. EventId: 1003 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1004.map b/evtx/Maps/WindowsDefender_1004.map index f74b3824..83871b07 100644 --- a/evtx/Maps/WindowsDefender_1004.map +++ b/evtx/Maps/WindowsDefender_1004.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Scan has resumed. EventId: 1004 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName 
diff --git a/evtx/Maps/WindowsDefender_1005.map b/evtx/Maps/WindowsDefender_1005.map index b2b77908..7c159c4c 100644 --- a/evtx/Maps/WindowsDefender_1005.map +++ b/evtx/Maps/WindowsDefender_1005.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Error - Scan has encountered an error and terminated. EventId: 1005 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1006.map b/evtx/Maps/WindowsDefender_1006.map index a647cd23..a0abf71e 100644 --- a/evtx/Maps/WindowsDefender_1006.map +++ b/evtx/Maps/WindowsDefender_1006.map @@ -2,6 +2,7 @@ Author: Brian MacKenna Description: Found - Malware or Potentially unwanted software. EventId: 1006 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1008.map b/evtx/Maps/WindowsDefender_1008.map index e9081f63..5da74839 100644 --- a/evtx/Maps/WindowsDefender_1008.map +++ b/evtx/Maps/WindowsDefender_1008.map @@ -2,6 +2,7 @@ Author: Brian MacKenna Description: Error when taking action on malware or other potentially unwanted software. EventId: 1008 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1011.map b/evtx/Maps/WindowsDefender_1011.map index bdbea8c6..15d5cd0c 100644 --- a/evtx/Maps/WindowsDefender_1011.map +++ b/evtx/Maps/WindowsDefender_1011.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Defender has deleted an item from quarantine. EventId: 1011 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1013.map b/evtx/Maps/WindowsDefender_1013.map index 1e72c72b..2fae6ce0 100644 --- a/evtx/Maps/WindowsDefender_1013.map +++ b/evtx/Maps/WindowsDefender_1013.map 
@@ -2,6 +2,7 @@ Author: Troy Larson Description: Defender removed history of malware. EventId: 1013 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1116.map b/evtx/Maps/WindowsDefender_1116.map index 29dd0abd..7aeaa65a 100644 --- a/evtx/Maps/WindowsDefender_1116.map +++ b/evtx/Maps/WindowsDefender_1116.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Detection - malware or other potentially unwanted software. EventId: 1116 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1117.map b/evtx/Maps/WindowsDefender_1117.map index 6fd2dcbd..53acb231 100644 --- a/evtx/Maps/WindowsDefender_1117.map +++ b/evtx/Maps/WindowsDefender_1117.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Detection - taken action to protect this machine from malware or other potentially unwanted software. EventId: 1117 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: UserName diff --git a/evtx/Maps/WindowsDefender_1150.map b/evtx/Maps/WindowsDefender_1150.map index 96c98ef5..0a73f034 100644 --- a/evtx/Maps/WindowsDefender_1150.map +++ b/evtx/Maps/WindowsDefender_1150.map @@ -2,6 +2,7 @@ Author: Troy Larson Description: Defender is up and running in a healthy state. EventId: 1150 Channel: Microsoft-Windows-Windows Defender/Operational +Provider: Microsoft-Windows-Windows Defender Maps: - Property: PayloadData1 diff --git a/evtx/Maps/WindowsDefender_5000.map b/evtx/Maps/WindowsDefender_5000.map index a1ea7a48..d1effe5c 100644 --- a/evtx/Maps/WindowsDefender_5000.map +++ b/evtx/Maps/WindowsDefender_5000.map 
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: Real-time Protection was enabled.
 EventId: 5000
 Channel: Microsoft-Windows-Windows Defender/Operational
+Provider: Microsoft-Windows-Windows Defender
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/WindowsDefender_5001.map b/evtx/Maps/WindowsDefender_5001.map
index f727c785..308c991e 100644
--- a/evtx/Maps/WindowsDefender_5001.map
+++ b/evtx/Maps/WindowsDefender_5001.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: Real-time Protection was disabled.
 EventId: 5001
 Channel: Microsoft-Windows-Windows Defender/Operational
+Provider: Microsoft-Windows-Windows Defender
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/WindowsDefender_5007.map b/evtx/Maps/WindowsDefender_5007.map
index e02166ec..279b217d 100644
--- a/evtx/Maps/WindowsDefender_5007.map
+++ b/evtx/Maps/WindowsDefender_5007.map
@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: Defender configuration has changed.
 EventId: 5007
 Channel: Microsoft-Windows-Windows Defender/Operational
+Provider: Microsoft-Windows-Windows Defender
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Windows_Powershell_400.map b/evtx/Maps/Windows_Powershell_400.map
index 7256a366..42a3e385 100644
--- a/evtx/Maps/Windows_Powershell_400.map
+++ b/evtx/Maps/Windows_Powershell_400.map
@@ -2,6 +2,7 @@ Author: Brian MacKenna
 Description: Engine state is changed from None to Available.
 EventId: 400
 Channel: Windows PowerShell
+Provider: PowerShell
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Windows_Powershell_403.map b/evtx/Maps/Windows_Powershell_403.map
index c67d5647..118acd71 100644
--- a/evtx/Maps/Windows_Powershell_403.map
+++ b/evtx/Maps/Windows_Powershell_403.map
@@ -2,6 +2,7 @@ Author: Brian MacKenna
 Description: Engine state is changed from Available to Stopped.
 EventId: 403
 Channel: Windows PowerShell
+Provider: PowerShell
 Maps:
 -
 Property: PayloadData1
diff --git a/evtx/Maps/Windows_Powershell_600.map b/evtx/Maps/Windows_Powershell_600.map
index 0e9d3b9a..f2425ddd 100644
--- a/evtx/Maps/Windows_Powershell_600.map
+++ b/evtx/Maps/Windows_Powershell_600.map
@@ -2,6 +2,7 @@ Author: Brian MacKenna
 Description: Provider is Started.
 EventId: 600
 Channel: Windows PowerShell
+Provider: PowerShell
 Maps:
 -
 Property: PayloadData1
